Performing process control services on endpoint machines

ABSTRACT

Some embodiments of the invention provide a method for performing services on an endpoint machine in a datacenter. On the endpoint machine, the method installs a guest introspection (GI) agent and a service engine. In some embodiments, the GI agent and the service engine are part of one monitor agent that is installed on the endpoint machine. The method then registers with a set of one or more notification services on the endpoint machine, the GI agent to receive notifications regarding new data message flow events on the endpoint machine. Through the notifications, the GI agent captures contextual data items regarding new data message flows, and stores the captured contextual data items. The service engine then performs a service for the data message flow based on the captured contextual data.

BACKGROUND

Traditional firewall solutions have been designed to enforce network access controls on two types of traffic flows, north-south flows and east-west flow. Firewall rules on north-south flow are enforced at the perimeter (edge) of a network (e.g. a datacenter network). This provides an ability to the security administrator to create firewall rules to control the flow of traffic in and out of the datacenter. East-west traffic flows are between different endpoints within a network (e.g., within a datacenter network).

In recent years, some have suggested distributed firewall architectures that deploy firewall service virtual machines (SVMs) or service engines on computers that host virtual machines (VMs) or containers. In such systems, the security administrator can configure, manage and enforce both north-south and east-west flows on both physical and logical entities. For example, a rule can be created to only allow TCP traffic on port 80 for any network interface on a logical network X. Such rules can be managed centrally but enforced in a distributed fashion on each host computer with a hypervisor.

In recent years, the number of applications that run inside the datacenter has increased dramatically. In such environments, a big challenge for the security and the application administrator is the ability to control the flow of traffic inside and outside of the network. Using distributed firewall, the administrator may be able to create rules using the traditional five-tuple approach or even add an additional attribute, such as L7 based services. This, however, does not provide the capability of an application process based attribute in either the source or the destination field of the rule. There are existing solutions in the market today that could provide firewalling functionalities inside the endpoint by using an agent and can provide application process level controls. These, however, do not have the ability to process virtual networking and security entities.

BRIEF SUMMARY

Some embodiments of the invention provide a method for performing services on an endpoint machine in a datacenter. On the endpoint machine, the method installs a guest introspection (GI) agent and a service engine. In some embodiments, the GI agent and the service engine are part of one monitor agent that is installed on the endpoint machine. The method then registers with a set of one or more notification services (e.g., network driver services, file system services) on the endpoint machine, the GI agent to receive notifications regarding new data message flow events and/or file system events on the endpoint machine.

Through the network service notifications, the GI agent captures contextual data items regarding new data message flows, and stores the captured contextual data items. Also, through these notifications, the service engine identifies data message flows associated with the endpoint machine and performs a service on the identified data message flows based on the stored contextual data items associated with the new data message flows. The service engine performs the service on the data messages based on service rules, each of which comprises a rule identifier and a service action, with the rule identifiers of at least a subset of service rules defined by reference to at least one contextual data item. In some embodiments, the contextual data items include data message attributes other than layer 2, layer 3 and layer 4 header values, such as layer 7 data tuples (e.g., user group identifiers, etc.) or other associated data tuples (e.g., identifiers of processes associated with the data message flows).

In some embodiments, the service engine receives notifications regarding a first data message in a new data message flow, performs the service on the first data message based on at least one stored contextual data item, and stores the result of the service on the first data message in a connection cache in order to re-use the stored result for subsequent data messages in the data message flow. Also, in some embodiments, the GI agent identifies through the notifications, newly launched processes executing on the endpoint machine, captures contextual data items regarding the identified processes, stores the captured contextual data items, and specifies stored contextual data items for new data message flows for the service engine to use when new data message flows associated with the processes are received.

As further described below, the service engine in some embodiments performs service operations on processes executing on the endpoint machine based on contextual data captured for the process. In some embodiments, the GI agent also receives through the notification additional contextual data regarding operations of previously launched processes (e.g., the type of files such processes are accessing, etc.), and based on this information the service engine performs service operations on data message flows associated with the processes and/or on the processes themselves. The service engine in some embodiments performs one or more middlebox service operations. Examples of middlebox services that the service engines perform in some embodiments include firewall operations, load balancing operations, intrusion detection operations, intrusion prevention operations, or any other middlebox operation.

Some embodiments of the invention provide a method for performing process-control services on processes executing on endpoint machines in the datacenter. Initially, on an endpoint machine, the method installs a GI agent and a service engine, which can be part of one monitor agent that is installed on the endpoint machine. The method then registers with a set of one or more notification services on the endpoint machine, the GI agent to receive notifications regarding new process events on the endpoint machine.

Through the notifications, the GI agent captures contextual data items regarding a newly launched or a previously launched process on the endpoint machine, and stores the captured contextual data items. Based on the contextual data items stored for the process, the service engine performs a process-control action on the newly launched or previously launched process. The process-control action in some embodiments can be Allow, Stop and Disallow, Stop and Terminate, which respectively would allow the launched process to proceed, stop the launched process and provide a notification regarding it being disallowed, or stop and terminate the launched process. In some embodiments, the process-control action in some embodiments also includes replicating the operations of the process in storage (e.g., in a sandbox) so that the process' operations can later be audited or reviewed. The process-control action in some embodiments also include malware detection and vulnerability operations. The service engine performs the process-control service based on service rules, each of which comprises a rule identifier and a service action, with the rule identifiers of at least a subset of service rules defined by reference to contextual attributes other than L2-L4 message header values.

In some embodiments, the GI agent notifies the service engine of each newly launched or certain previously launched processes. The GI agent in some embodiments provides at least one captured contextual data item to the service engine along with the notification regarding the process. Examples of contextual data associated with the process that the GI agent collects in some embodiments include process name, publisher, version, file hash, license info, etc. In some embodiments, the GI agent can identify the binary that started process and look up registry and/or the path to determine the contextual data.

In other embodiments, the service engine retrieves from a data storage at least one captured contextual data item that the GI agent stores in the storage for the process. In still other embodiments, the method registers with the set of notification services the service engine to receive notifications regarding a process (e.g., a new process launch event or a process file system access event) on the endpoint machine, and through such notifications, the service engine identifies process events in order to perform a service on the identified process or process event based on the contextual data items stored for the processes.

The method of some embodiments provides service rules to the endpoint machine from a server that belongs to a set of servers that manages performance of services the datacenter. In some embodiments, the server set manages services on other endpoint machines in the datacenter. These machines in some embodiments include machines executing on bare metal computers, virtual machines executing on hypervisors executing on host computers, and/or containers executing on host computers. The server set in some embodiments installs the monitor agent on one or more endpoint machine during a service deployment process that configures the endpoint machines to receive service rules form the sever set.

The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all of the embodiments described by this document, a full review of the Summary, Detailed Description, the Drawings and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, Detailed Description and the Drawing.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.

FIG. 1 illustrates a service-management system of some embodiments of the invention.

FIG. 2 illustrates a process control set of operations that is performed in some embodiments.

FIG. 3 illustrates an exemplary firewall process that is performed in some embodiments.

FIGS. 4A and 4B illustrates alternative processes that are performed in some embodiments to provide firewall services on an endpoint machine.

FIG. 5 illustrates a process that some embodiments perform to create, deploy and enforce endpoint service based firewall rules.

FIG. 6 conceptually illustrates a computer system with which some embodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

Some embodiments of the invention provide a service-management system for performing services on endpoint machines in a datacenter. On each of several endpoint machines, the service-management system installs a guest introspection (GI) agent and a service engine. In some embodiments, the GI agent and the service engine are part of one monitoring agent that service-management system installs on the endpoint machine. With a set of one or more notification services on the endpoint machine, the service-management system registers the GI agent to receive notifications regarding new data message flow events and/or file system events on the endpoint machine.

Through the network service notifications, the GI agent captures contextual data items regarding new data message flows, and stores the captured contextual data items. Also, through these notifications, the service engine identifies data message flows associated with the endpoint machine and performs a service on the identified data message flows based on the stored contextual data items associated with the new data message flows. The service engine performs the service on the data messages based on service rules. Each of the service rules comprises a rule identifier and a service action, with the rule identifiers of at least a subset of service rules defined by reference to contextual attributes that are different than L2-L4 header values.

In some embodiments, the service engine receives notifications regarding a first data message in a new data message flow, performs the service on the first data message based on at least one stored contextual data item, and stores the result of the service on the first data message in a connection cache in order to re-use the stored result for subsequent data messages in the data message flow. Also, in some embodiments, the GI agent identifies through the notifications, newly launched processes executing on the endpoint machine, captures contextual data items regarding the identified processes, stores the captured contextual data items, and specifies stored contextual data items for new data message flows for the service engine to use when new data message flows associated with the processes are received.

As further described below, the service engine in some embodiments performs service operations on processes executing on the endpoint machine based on contextual data captured for the process. In some embodiments, the GI agent also receives through the notification additional contextual data regarding operations of previously launched processes (e.g., the type of files such processes are accessing, etc.), and based on this information the service engine performs service operations on data message flows associated with the processes and/or on the processes themselves. The service engine in some embodiments performs a middlebox service in some embodiments. Examples of middlebox services that the service engines perform in some embodiments include firewall operations, load balancing operations, intrusion detection operations, intrusion prevention operations, or any other middlebox operation.

In some embodiments, the service-management system also performing process-control services on processes executing on endpoint machines in the datacenter. With a set of one or more notification services on the endpoint machine, the GI agent in these embodiments registers to receive notifications regarding new process events on the endpoint machine. Through the notifications, the GI agent captures contextual data items regarding newly launched or previously launched process on the endpoint machine, and stores the captured contextual data items.

Based on the contextual data items stored for the process, the service engine performs a process-control (PC) service on a newly launched or previously launched process. The process-control action in some embodiments can be Allow, Stop and Disallow, Stop and Terminate, which respectively would allow the launched process to proceed, stop the launched process and provide a notification regarding it being disallowed, or stop and terminate the launched process. In some embodiments, the process-control action in some embodiments also includes replicating the operations of the process in storage (e.g., in a sandbox) so that the process' operations can later be audited or reviewed. The process-control action in some embodiments also includes malware detection and vulnerability operations. The service engine performs the PC service based on service rules, each of which comprises a rule identifier and a service action, with the rule identifiers of at least a subset of service rules defined by reference to contextual attributes that are different than L2-L4 message header values.

In some embodiments, the GI agent notifies the service engine of each newly launched or previously launched process. The GI agent in some embodiments provides at least one captured contextual data item to the service engine along with the notification regarding the process. In other embodiments, the service engine retrieves from a data storage at least one captured contextual data item that the GI agent stores in the storage for the newly launched process. In still other embodiments, the service-management system registers the service engine with the set of notification services the service engine to receive notifications regarding a process (e.g., a new process launch event or a process file system access event) on the endpoint machine, and through such notifications, the service engine identifies process events in order to perform a service on the identified process or process event based on the contextual data items stored for the processes.

As used in this document, data messages refer to a collection of bits in a particular format sent across a network. One of ordinary skill in the art will recognize that the term data message may be used herein to refer to various formatted collections of bits that may be sent across a network, such as Ethernet frames, IP packets, TCP segments, UDP datagrams, etc. Also, as used in this document, references to L2, L3, L4, and L7 layers (or layer 2, layer 3, layer 4, layer 7) are references respectively to the second data link layer, the third network layer, the fourth transport layer, and the seventh application layer of the OSI (Open System Interconnection) layer model.

The discussion below refers to containers, virtual machines and bare metal servers as endpoint machines. In some embodiments, an endpoint machine is a machine from which a data message flow originates, or is a machine at which a data message flow terminates and is consumed by the machine. A container is stand-alone, executable software package that includes everything needed to run it (e.g., code, runtime, system tools, system libraries, settings). Containers are available through a number of companies today, including Docker, Google, etc. Unlike virtual machines (VMs), containers are often constructs that run on top of a host operating system without the need for a hypervisor or separate guest operating system. In some cases, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers. This segregation is akin to the VM segregation that is offered in hypervisor-virtualized environments that virtualize system hardware, and thus can be viewed as a form of virtualization that isolates different groups of applications that operate in different containers.

VMs, on the other hand, operate typically with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.). The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system. A bare metal server is a single tenant physical server in some embodiments. In some embodiments, bare-metal servers do not run a hypervisor and are not virtualized. A bare-metal server in other embodiments can have a VM running on it but if so, it only has the VM of one tenant running on it.

FIG. 1 illustrates a service-management system 100 of some embodiments of the invention. As shown, this system 100 includes a set of one or more service managers 102 that manage service engines and service machines that are deployed on host computers in a multi-tenant datacenter to perform services on these computers. The service engines/machines in some embodiments perform service operations on (1) processes executing on the host computers and (2) data messages received and/or sent by the host computers.

As further described below, these service operations in some embodiments can be based on contextual attributes that are associated with the processes and/or data messages. GI agents of the service-management system 100 capture these contextual attributes on the host computers in some embodiments. The service operations of the service engines/machines on the data messages can also be based on header values (e.g., L2-L4 header values) of the data messages, as further described below.

The service manager set 102 and the host computers 110-116 communicate through an internal network 120 of the datacenter. Even though in this example the service manager set 102 is in one datacenter with the host computers 110-116 that it manages, one of ordinary skill will realize that in other embodiments one or more of the components (e.g. the service managers or host computers) are in different physical locations (e.g., in different neighborhoods, cities, regions, states, etc.). In some these embodiments, the service manager set connects to host computers at other locations through external networks, such as the Internet.

In the service-management system 100 of FIG. 1, the host computers include (1) host computers 114 that execute containers, and (2) bare metal computers 116 that execute applications for only one tenant. The host computers in this example also include two other types of host computers 110 and 112. Both these types of host computers execute guest virtual machines (GVMs) 134 of tenants of the datacenter. The host computers 110 of the first type execute hypervisors 122 that have service engines or service VMs (SVMs) that can be configured by the service manager set 102, while the host computers 112 of the second type execute hypervisors 124 that do not have service engines or SVMs that can be configured by the service manager set 102.

In some embodiments, the service-management system 100 is part of a compute virtualization system that deploys VMs on host computers with hypervisors of a particular type, but not on host computers with other types of hypervisors. In other embodiments, the host computers 112 are in datacenters (e.g., are in public clouds) that are not under the control the administrators of the service-management system 100.

The service-management system 100 provides different mechanisms for the service manager set 102 to capture contextual attributes for context-rich service rules and to process these rules on different host computers in the datacenter. On a host computer 110 with a hypervisor that the system can directly configure, GI agents 136 of the service-management system execute on the GVMs 134, which execute on top of the hypervisor. In addition to the GVMs 134 and their GI agents 136, the host computers 110 also execute context engines 138 and one or more attribute-based service engines 137 and/or SVMs 139.

The GI agents 136 capture contextual attributes regarding newly launched processes, previously launched processes, and new data message flows to and from the GVMs, and provide these contextual attributes to the context engine 138 of the hypervisor. The context engine 138 then provides these contextual attributes to one or more service engines 137 and/or SVMs 139 executing on the host computer 110. The context engine can provide these contextual attributes based on either a push model (where the context engine sends the captured contextual attributes without the service engine requesting the attributes) or a pull model (where the context engine provides the captured contextual attributes in response to a request from the service engine).

In some embodiments, the service engines 137 operate in the kernel space of their associated hypervisors, while the SVMs 139 and GVMs 134 operates in the user space of their hypervisors. The service engines 137 are hypervisor-provided service modules in some embodiments, while the SVMs 139 are hypervisor-vendor SVMs and/or third-party SVMs (e.g., third party firewall SVMs, like those offered by Palo Alto Networks) that execute over the hypervisors on the host computers 110. In other embodiments, the service engines 137 also operate in the user space of the hypervisor.

The service engines 137 and/or SVMs 139 can use the captured contextual attributes to identify context-based service rules that specify service actions to perform on processes executing on the GVMs and/or data message flows sent by or received for the GVMs. The service engines 137 and/or SVMs 139 can also use header values (e.g., L2-L4 header values) of the data messages to identify service rules that specify service actions to perform on the data messages sent by and/or received for the GVMs. Several detailed architectures, systems and processes for providing contextual-based services on host computers 110 with managed hypervisors are described in U.S. patent application Ser. No. 15/650,251, filed Jul. 14, 2017. U.S. patent application Ser. No. 15/650,251 is incorporated herein by reference.

To enable context-rich services on the host computers 112-116 that do not have hypervisors that the service-manager set 102 can configure, the service-management system in some embodiments deploys a monitoring agent 150 in each endpoint machine associated with these host computers, and this monitoring agent 150 provides both the context capture and the processing of the context-based service rules. The endpoint machines on the host computers 112-116 are different. On the host computers 112, the GVMs 164 are the endpoint machines, and they are similar to the GVMs 134 that serve as endpoint machines on host computers 110 with hypervisors managed by the service manager set. On host computers 114, the endpoint machines are the containers 118. A bare metal computer 116 is itself the endpoint machine.

As shown, the monitoring agent 150 includes both a GI agent 155 and one or more service engines 160. Also, in these embodiments, the GI agent 155 performs both the context-capturing operations of the GI agent 136 and the context-repository operations of the context engine 138. Like the GI agents 136 of the GVMs with the managed hypervisors, the GI agents 155 register with notification services of their respective endpoint machines to receive notifications regarding newly launched processes and/or previously launched processes on their endpoint machines, and/or regarding new message flows sent by or received for their endpoint machine.

Different endpoint machines provide different APIs for GI agents 136 and 155 to use to register for such notification requests. For instance, on endpoint machines that execute Microsoft Windows, the GI agent in some embodiments registers hooks in the Windows Filtering Platform (WFP) to obtain network events, while registering in the Window's Process Subsystem to collect process related attributes. In some embodiments, the GI agent registers a hook at the Application Layer Enforcement (ALE) layer of WFP, so that it can capture all socket-connection requests from application processes on the VM.

After receiving notifications regarding a newly launched process or previously launched process executing on its endpoint machine, or a new message flow sent by or received for its endpoint machine, the GI agent 155 interacts with the endpoint machine modules to capture contextual attributes regarding the identified process, process events or data message flow. The GI agent 155 provides the captured contextual attributes to a service engine 160 based on either a push model (where the GI agent sends the captured contextual attributes without the service engine requesting the attributes) or a pull model (where the GI agent provides the captured contextual attributes in response to a request from the service engine).

Each service engine 160 can use the captured contextual attributes to identify context-based service rules that specify service actions to perform on processes executing on its respective endpoint machine and/or data message flows sent by or received for the endpoint machine. A service engine 160 can also use header values (e.g., L2-L4 header values) of the data messages that it process to identify service rules that specify service actions to perform on the data messages sent by and received for its respective endpoint machine.

The service-management system 100 uses the monitoring agents 150 to perform context-based services on endpoint machines on host computers 112-116, because it cannot deploy context or service engines outside of the endpoint machines on these computers. Moreover, the system cannot always ensure that it will always have reliable access to SVMs or service containers executing on these host computers. Even when it can have reliable access to such SVMs or service containers, it needs a mechanism to capture contextual attributes and to seamlessly provide the captured contextual attributes to the SVMs and/or service containers. However, on host computers without hypervisors managed by the service manager set 102, the service-management system 100 cannot reliably provide captured contextual attributes from GI agents to SVMs or service containers executing on the host computers.

FIG. 2 illustrates a PC process 200 that is performed in some embodiments by the GI agent 155 and the service engine 160 of a monitoring engine on an endpoint machine (such as GVM 164, containers 118, or bare metal server 116). The process 200 captures contextual attributes regarding a newly launched process and then uses the captured contextual attributes to perform a PC service for the detected, newly launched process.

The process 200 starts when the GI agent 155 detects (at 205) a launch of a new process. As mentioned above, the GI agent 155 in some embodiments registers with one or more notification services on the endpoint machine to receive notification of certain process and flow events. In some embodiments, the launch of a new process is one type of event for which the GI agent registers for notifications. Hence, in these embodiments, the GI agent 155 detects (at 205) that a new process has been launched when the process subsystem of the GI agent's respective endpoint machine sends the GI agent a new process notification. This process notification in some embodiments includes an identifier that identifies the newly launched process.

The GI agent 155 then interacts (at 210) with one or more modules (e.g., the notification service modules) of its endpoint machine to collect and store contextual attributes relating to the newly launched process. In some embodiments, these attributes include the name of the application associated with the launched process, the application version, the identifier (ID) of the user account that launched the process, the group ID associated with the user account (e.g., the LDAP group (e.g., Active Directory group) to which the user account belongs), a threat level of the application, a resource consumption metric associated with the launched process, publisher of the application associated with the process, the file hash, the license information, etc.

At 215, the GI agent 155 then notifies a service engine 160 in its monitor agent 150 of the detected newly launched process. With this notification, the GI agent 155 also provides (at 215) the set of contextual attributes that it has collected for the launched process (e.g., provides an identifier for a storage location that stores the collected contextual attribute set). The service engine 160 receives this notification and the collected contextual attribute set at 220.

The service engine uses the collected contextual attribute set to identify (at 225) a PC rule in a PC rule data storage that it maintains. In some embodiments, the PC rules in this data storage are stored in a hierarchical manner (e.g., with priority levels for the rules to ensure that higher priority rules are selected before lower priority rules when multiple rules match a particular process). Also, in some embodiments, the PC rules in this data storage have rule identifiers that are defined in terms of one or more contextual attributes, such as application name, application version, user ID, group ID, threat level, resource consumption level, publisher of the application associated with the process, the file hash, the license information, etc. To identify the PC rule in the PC data store, the service engine 160 in some embodiments compares the collected contextual attributes with the rule identifiers of the PC rules to identify the highest priority rule that has an identifier that matches the collected attribute set.

When the process identifies a PC rule (at 225), it identifies (at 230) a PC action (e.g., Allow, Stop and Disallow, Stop and Terminate, etc.) of this rule, and then notifies (at 235) the GI agent 155 of this action. The GI agent receives (at 240) the notification for this action and then directs (at 245) a module on its endpoint machine to perform a PC operation based on the received action. When this operation is a disallow or a terminate, the service engine 160 directs the GI agent 155 to disallow or terminate the process. The GI agent then directs the process subsystem of the OS to disallow or terminate the process. After 245, the process ends.

In some embodiments, the process 200 performs other service operations for a detected process event. These operations include replicating the operations of the process in storage (e.g., in a sandbox) so that the process' operations can later be audited or reviewed. The process-control action in some embodiments also includes malware detection and vulnerability operations.

In addition to PC services, the service engines 160 in some embodiments perform middlebox service operations, such firewall operations, load balancing operations, intrusion detection operations, intrusion prevention operations, or any other middlebox operation. FIG. 3 illustrates an exemplary firewall process 300 that is performed in some embodiments by the GI agent 155 and the service engine 160 of a monitoring engine on an endpoint machine (such as GVM 164, containers 118, or bare metal server 116). The process 300 captures contextual attributes regarding a newly detected message flow and then uses the captured contextual attributes to perform a firewall operation for the detected, newly detected message flow.

The process 300 starts when the GI agent 155 detects (at 305) a start of a new data message flow. As mentioned above, the GI agent 155 in some embodiments registers with one or more notification services on the endpoint machine to receive notification of certain process and flow events. In some embodiments, the start of a new data message flow is one type of event for which the GI agent registers for notifications. For instance, on Windows machines, the GI agent registers a hook at the ALE layer of WFP, so that it can capture all socket-connection requests from application processes on the endpoint machine.

Accordingly, in some embodiments, the GI agent 155 detects (at 305) that a new data message flow has been started when the network stack of the GI agent's respective endpoint machine sends the GI agent a notification of a new requested data message flow. This notification in some embodiments includes a flow identifier (e.g., a five-tuple identifier) that identifies the newly detected message flow. The GI agent 155 then interacts (at 310) with one or more modules (e.g., the notification service modules) of its endpoint machine to collect and store contextual attributes relating to the newly detected message flow. In some embodiments, these attributes include the name of the application associated with the detected message flow, the application version, the identifier (ID) of the user account that started the process associated with the data message flow, the group ID associated with the user account (e.g., the LDAP group to which the user account belongs), a threat level of the application, a resource consumption metric associated with the detected message flow, etc.

At 315, the GI agent 155 then notifies a firewall engine 160 in its monitor agent 150 of the detected newly detected message flow. With this notification, the GI agent 155 also provides (at 315) the set of contextual attributes that it has collected for the detected message flow (e.g., provides an identifier for a storage location that stores the collected contextual attribute set). The firewall engine 160 receives this notification and the collected contextual attribute set at 320.

The firewall engine uses (at 325) the collected contextual attribute set to identify a firewall rule in a firewall rule data storage that it maintains. In some embodiments, the firewall rules in this data storage are stored in a hierarchical manner (e.g., with priority levels for the rules to ensure that higher priority rules are selected before lower priority rules when multiple rules match a particular flow).

Also, in some embodiments, the firewall rules in this data storage have rule identifiers that are defined in terms of one or more contextual attributes, such as application name, application version, user ID, group ID, threat level, resource consumption level, etc. The rule identifiers can also be defined in terms of L2-L4 message header values. To identify the firewall rule in the PC data store, the firewall engine 160 in some embodiments compares the collected contextual attributes and/or L2-L4 header values of the data message with the rule identifiers of the firewall rules to identify the highest priority rule that has an identifier that matches the data message's contextual attributes and/or L2-L4 header values.

When the process identifies (at 325) a firewall rule, it identifies (at 330) a firewall action (e.g., Allow, Drop, Redirect, etc.) of this rule, and then notifies (at 335) the GI agent 155 of this action. The GI agent receives (at 340) the notification for this action and then directs (at 345) a module on its endpoint machine (e.g., a module in the network stack of the endpoint machine) to perform the firewall operation based on the received action. For instance, when this operation is drop or redirect the data message, the service engine 160 in some embodiments directs the GI agent 155 to drop or redirect the data message, and the GI agent directs the network stack of the OS to drop or redirect the data message. After 345, the process ends.

In some embodiments, each time a firewall engine identifies a firewall rule to process a new data message, the firewall engine creates a record in a connection state cache to store the firewall action performed, so that when the firewall engine receives another data message within the same flow (i.e., with the same five-tuple identifier), it can perform the same firewall action that it performed on previous data messages in the same flow. The use of the connection state cache allows the firewall engine to process the data message flows more quickly. In some embodiments, each cached record in the connection state cache has a record identifier that is defined in terms of data message identifiers (e.g., five-tuple identifiers). In these embodiments, the process compares the received data message's identifier (e.g., five-tuple identifier) with the record identifiers of the cached records to identify any record with a record identifier that matches the received data message's identifier.

In the approach illustrated in FIG. 3, the GI agent 155 of the monitor agent 150 is the only module that registers with the notification services of endpoint machine to receive notifications of new data message flow events. In other embodiments, however, both the GI agent 155 and the firewall engine 160 of the monitor agent 150 register separately with the notification services of endpoint machine to receive notifications of new data message flow events. For such embodiments, FIGS. 4A and 4B illustrates alternative processes 400 and 402 that the GI agent 155 and the firewall service engine 160 perform to provide firewall services on an endpoint machine, such as GVM 164, containers 118, or bare metal server 116.

The process 400 starts when the GI agent 155 detects (at 405) a start of a new data message flow. As mentioned above, the GI agent 155 in some embodiments registers with one or more notification services on the endpoint machine to receive notification of each new data message flow. Accordingly, in some embodiments, the GI agent 155 detects (at 405) that a new data message flow has been started when the network stack of the GI agent's respective endpoint machine sends the GI agent a notification of a new requested data message flow. This notification in some embodiments includes a flow identifier (e.g., a five-tuple identifier) that identifies the newly detected message flow.

The GI agent 155 then interacts (at 410) with one or more modules (e.g., the notification service modules) of its endpoint machine to collect and store contextual attributes relating to the newly detected message flow. In some embodiments, these attributes include the name of the application associated with the detected message flow, the application version, the identifier (ID) of the user account that started the process associated with the data message flow, the group ID associated with the user account (e.g., the LDAP group to which the user account belongs), a threat level of the application, a resource consumption metric associated with the detected message flow, etc.

At 415, the GI agent 155 then stores the contextual attribute set that it collects (at 410) for the new data message flow. In some embodiments, the GI agent 155 stores in the contextual attribute set along with the flow identifier (e.g., the five tuple identifier including the source and destination IP addresses, source and destination ports and the protocol of the flow) in a data storage. The GI agent 155 so stores this data so that it can later provide the contextual data to the firewall engine 160 once the firewall engine 160 provides the flow identifier in a context-attribute query that it makes from the GI agent. After 415, the process 400 ends.

The process 402 starts when the firewall engine 160 detects (at 420) a start of a new data message flow. The firewall engine 160 in some embodiments registers with one or more notification services on the endpoint machine to receive notification of each new data message flow. Accordingly, in some embodiments, the firewall engine 160 detects (at 420) that a new data message flow has been started when the network stack of the firewall engine's respective endpoint machine sends the firewall engine a notification of a new requested data message flow. This notification in some embodiments includes a flow identifier (e.g., a five-tuple identifier) that identifies the newly detected message flow.

The firewall engine 160 then uses (at 425) the detected flow's identifier (e.g., the five-tuple identifier) to query the GI agent 155 for the contextual attribute set of the detected flow. The GI agent receives (at 430) this query and in response, uses (at 435) the flow's identifier to retrieve the contextual attribute set for this flow from its data storage. The firewall engine 160 receives (at 440) the contextual attribute set from the GI agent 155.

The firewall engine uses (at 445) the collected contextual attribute set to identify a firewall rule in a hierarchical firewall rule data storage that it maintains. In some embodiments, the firewall rules in this data storage have rule identifiers that are defined in terms of one or more contextual attributes, such as application name, application version, user ID, group ID, threat level, resource consumption level, etc. Also, in some embodiments, the rule identifiers can include the L2-L4 header values of the data messages. Accordingly, to identify the firewall rule in the PC data store, the firewall engine 160 in some embodiments compares the collected contextual attributes and/or the data message header values with the rule identifiers of the firewall rules to identify the highest priority rule that has an identifier that matches the collected attribute set.

When the process identifies (at 425) a firewall rule, it identifies (at 430) a firewall action (e.g., Allow, Drop, Redirect, etc.) of this rule, and then directs (at 435) a module on its endpoint machine (e.g., a module in the network stack of the endpoint machine) to perform the firewall operation based on the received action. For instance, when this operation is drop or redirect the data message, the service engine 160 in some embodiments directs the network stack of the OS to drop or redirect the data message. After 445, the process ends.

As was the case for the process 300, each time the firewall engine 160 identifies a firewall rule to process a new data message for the process 402, the firewall engine creates a record in a connection state cache to store the firewall action performed, so that when the firewall engine receives another data message within the same flow (i.e., with the same five-tuple identifier), it can perform the same firewall action that it performed on previous data messages in the same flow. In some embodiments, each cached record in the connection state cache has a record identifier that is defined in terms of data message identifiers (e.g., five-tuple identifiers). In these embodiments, the process compares the received data message's identifier (e.g., five-tuple identifier) with the record identifiers of the cached records to identify any record with a record identifier that matches the received data message's identifier.

FIG. 5 illustrates a process 500 that some embodiments perform to create, deploy and enforce endpoint service based firewall rules. As shown, the process initially generates (at 505) an inventory of existing applications that are running inside a particular network (e.g., a tenant's logical network) within a datacenter. The inventory is used to subsequently define service rules a further described below. In some embodiments, a set of service managers directs discovery agents running on a set of host computers to provide an inventory of all applications running on a set of endpoint machines executing on the set of host computers. The set of endpoint machines are endpoint machines that belong to the particular network.

For instance, in some embodiments, the particular network is a logical network of a particular tenant of the datacenter, and the set of endpoint machines are virtual machines, containers and/or bare metal servers of the particular tenant that execute on a set of host computers in the datacenter. In some embodiments, the set of endpoint machines includes (1) machines that execute on top of hypervisors executing on host computers and managed by the set of service managers, and (2) machines (e.g., bare metal computers, virtual machines, and/or containers) that are not managed by the set of service managers.

In some of these embodiments, the discovery engines only run on host computers managed by the set of service managers (e.g., host computers with certain type of hypervisors). However, the inventory data collected by these discovery engines can still be useful for formulating service rules to enforce on machines not managed by the set of service managers as unmanaged machines of a tenant often run many of the same applications as the managed machines of the tenant. Also, some embodiments provide controls (e.g., APIs or user interface controls) for the tenants to provide inventory data to supplement the inventory data collected by the discovery engines associated with the managed machines.

In some embodiments, the discovery engines and/or other modules on the host computers and service managers provide visualization tools to visualize data message flows to and from a guest triggered by various application processes. This information is available in the database of the service manager set, and forms part of the discovery platform. These features in some embodiments provide the functionality grouping applications into tiers and creating security groups that can be used as entities for defining firewall rules.

At 510, the process deploys an endpoint based firewall services at a host cluster level for the datacenter. This service is responsible for setting up the communication channel from the service manager set to the host and the guest to push the effective rules to each endpoint. In some embodiments, this involves deployment of the agents in every endpoint and establishing a trusted communication channel (e.g., RabbitMQ) between the endpoint machines and the set of service managers.

At 515, through the service manager framework, a network administrator specifies service policies. In some embodiments, this framework provides a user interface and/or a set of API through which administrators can define services policies. The service policies in some embodiments can be defined by reference to security groups. The framework in some embodiments can create, manage and apply the policies to security groups created by the process 500.

Once the administrator has created and applied the appropriate security policies with the service rules (which can be defined by reference to security groups), the service manager identifies (at 520) the endpoint machines to which the rules should be pushed. Since the manager has all the information of the desired state of the system including the tenant networks, the service manager pushes the effective set of rules per endpoint machine.

For example, a service rule might specify “All Firefox version 5 processes should not be allowed to access ANY endpoint machine on a tenant logical network X”. For such a rule, the rule span calculation is as follows in some embodiments. Based on the information gathered from endpoint monitoring feature, the service manager identifies endpoint machines that execute Firefox version 5. From this identified set of endpoint machines, the service manager then identifies which amongst them are on logical network X, by examining its database. The service manager then pushes the rules to host computers on which the endpoint machines reside.

Once the service rules are pushed from the service manager and distributed to the host computers with the identified endpoint machines, the rules are provided to the service engines and/or SVMs executing on these machines. For host computers with hypervisors managed by the service managers, the service rules are provided through one or more of the hypervisor communication channels to the service engines and/or SVMs. On the other hand, for host computers that do not have hypervisors managed by the service managers, the service rules are provided to the service engines 160 of the monitoring agents 150 executing on each endpoint machine.

As mentioned above, the monitoring agent 150 in some embodiments registers hooks into the endpoint machines OS (e.g., hooks into Windows Filtering Platform (WFP) of a Windows machine) to intercept network events and provide metadata about the connection. This metadata includes the process name, ID, hash, etc. In some embodiments, the service engine 160 of the monitoring agent 150 can store the service rules based on the 5 tuples and the contextual attributes (e.g., process information) provided by service manager. When an application process attempts to initiate a connection, the monitoring agent 150 trap the network event and attempts to match its contextual attributes (e.g., its process information and the destination field) with the configured service rules.

If there is a match, then the monitoring agent performs the appropriate service action. For instance, unlike other existing solutions, the enforcement in some embodiments does not happen at the network interface or the guest OS level but only for that process which would be allowed or denied to access the destination. Some service policies might not terminate or suspend a process, and could allow the process to run while its packets are being examined (e.g., through deep packet inspection) or replicated, or while the operation of the process itself are being replicated. Other service policies take a whitelisting approach and do not allow a rogue or un-sanctioned process to start by terminating the process after performing the service check. Accordingly, the service-management system of some embodiments can terminate and block some processes, while allowing other processes to proceed and be further inspected/replicated.

In some embodiments, the service management system has an ability to display the realized effective rule sets for every endpoint machine in a centralized manner. The security administrator would be able to view and monitor which endpoint based security policies are being enforced and which endpoint machines are contained under the application process based security groups. From a host computer, the feedback received from the network introspection driver is sent (at 530) according to a configurable frequency to the service manager via the same communication channel that was used to send the service rules from the service manager to the host computer. This feedback contains metadata that can be used for post processing and provide visibility of the endpoint based firewall policies applied on various workloads. The data collected in the manager would also be processed through an analytical engine to provide recommendations for enhanced rules to the administrator.

Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.

In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.

FIG. 6 conceptually illustrates a computer system 600 with which some embodiments of the invention are implemented. The computer system 600 can be used to implement any of the above-described hosts, controllers, and managers. As such, it can be used to execute any of the above described processes. This computer system includes various types of non-transitory machine readable media and interfaces for various other types of machine readable media. Computer system 600 includes a bus 605, processing unit(s) 610, a system memory 625, a read-only memory 630, a permanent storage device 635, input devices 640, and output devices 645.

The bus 605 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 600. For instance, the bus 605 communicatively connects the processing unit(s) 610 with the read-only memory 630, the system memory 625, and the permanent storage device 635.

From these various memory units, the processing unit(s) 610 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 630 stores static data and instructions that are needed by the processing unit(s) 610 and other modules of the computer system. The permanent storage device 635, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 600 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 635.

Other embodiments use a removable storage device (such as a floppy disk, flash drive, etc.) as the permanent storage device. Like the permanent storage device 635, the system memory 625 is a read-and-write memory device. However, unlike storage device 635, the system memory is a volatile read-and-write memory, such a random access memory. The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 625, the permanent storage device 635, and/or the read-only memory 630. From these various memory units, the processing unit(s) 610 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.

The bus 605 also connects to the input and output devices 640 and 645. The input devices enable the user to communicate information and select commands to the computer system. The input devices 640 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 645 display images generated by the computer system. The output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as a touchscreen that function as both input and output devices.

Finally, as shown in FIG. 6, bus 605 also couples computer system 600 to a network 665 through a network adapter (not shown). In this manner, the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet, or a network of networks, such as the Internet. Any or all components of computer system 600 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, any other optical or magnetic media, and floppy disks. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.

While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms display or displaying means displaying on an electronic device. As used in this specification, the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.

While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. For instance, several figures conceptually illustrate processes. The specific operations of these processes may not be performed in the exact order shown and described. The specific operations may not be performed in one continuous series of operations, and different specific operations may be performed in different embodiments. Furthermore, the process could be implemented using several sub-processes, or as part of a larger macro process. Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims 

We claim:
 1. A method of performing services on an endpoint machine in a datacenter, the method comprising: on the endpoint machine, installing a guest introspection (GI) agent and a service engine; with a set of one or more notification services on the endpoint machine, registering the GI agent to receive notifications regarding new process launch events occurring on the endpoint machine; after receiving at the GI agent a notification regarding a new launched process on the endpoint machine, obtaining a set of contextual data items regarding the new launched process, and storing the captured contextual data items; and using the set of contextual data items at the service engine to perform a process-control service on new launched process.
 2. The method of claim 1, wherein the GI agent notifies the service engine of the new launched process.
 3. The method of claim 2, wherein the GI agent provides at least one captured contextual data item to the service engine along with the notification of the new launched process.
 4. The method of claim 2, wherein the service engine retrieves from a storage at least one contextual data item that the GI agent stores in the storage for the new launched process.
 5. The method of claim 1 further comprising with a set of one or more notification services on the endpoint machine, registering the service engine to receive notifications regarding new process launch events on the endpoint machine; through a notification, the service engine identifying the new launched process and performing a service on the identified processes based on the set of contextual data items stored for the process by the GI agent.
 6. The method of claim 1, wherein the process-control service is a service that determines whether the process should be allowed, terminated, have its operations replicated, be designated for malware inspection, or have the data messages that it sends or receives be subject to deep packet inspection.
 7. The method of claim 1, wherein the service engine performs the service based on a set of service rules each of which comprises a rule identifier and a service action, the rule identifiers of at least a subset of service rules defined by reference to at least one contextual data item.
 8. The method of claim 1, wherein the endpoint machine is a bare metal machine.
 9. The method of claim 1, wherein the endpoint machine is a container.
 10. The method of claim 1, wherein the endpoint machine is a virtual machine.
 11. A non-transitory machine readable medium comprising sets of instructions for execution by at least one hardware processing unit of a computer to perform services on an endpoint machine in a datacenter, wherein a guest introspection (GI) agent and a service engine are installed on the endpoint machine, the sets of instructions for: on the endpoint machine, installing a guest introspection (GI) agent and a service engine; with a set of one or more notification services on the endpoint machine, registering the GI agent to receive notifications regarding a set of process events occurring on the endpoint machine; after receiving at the GI agent a notification regarding a process event on the endpoint machine, obtaining a set of contextual data items regarding the process event, and storing the captured contextual data items; and using the set of contextual data items at the service engine to perform a process-control service for the process associated with the notification's process event.
 12. The non-transitory machine readable medium of claim 11, wherein the GI agent notifies the service engine of the process event.
 13. The non-transitory machine readable medium of claim 12, wherein the GI agent provides at least one captured contextual data item to the service engine along with the notification of the new launched process.
 14. The non-transitory machine readable medium of claim 12, wherein the service engine retrieves from a storage at least one contextual data item that the GI agent stores in the storage for the process event.
 15. The non-transitory machine readable medium of claim 11, wherein the sets of instructions further comprises sets of instructions for: registering, with a set of one or more notification services on the endpoint machine, the service engine to receive notifications regarding the set of process events on the endpoint machine; through a notification, identifying a new process event at the service engine and performing a service on the process associated with the new process event based on the set of contextual data items stored for the process by the GI agent.
 16. The non-transitory machine readable medium of claim 11, wherein the contextual data items include data other than layer 2, layer 3 and layer 4 header values of the data messages.
 17. The non-transitory machine readable medium of claim 11, wherein the contextual data items include layer 7 data tuples.
 18. The non-transitory machine readable medium of claim 11, wherein the contextual data items include at least one of process identifier and user group identifier.
 19. The non-transitory machine readable medium of claim 11, wherein the endpoint machine comprises one of a bare metal machine, a container, and a virtual machine. 